This matter comes before the Court upon the motion filed by Defendants Myra J. Biblowit, James E. Buckman, Eric A. Danziger, George Herrera, Stephen P. Holmes, Scott G. McLester, Brian Mulroney, Pauline D.E. Richards, Steven A. Rudnitsky, Michael H. Wargotz, and Wyndham Worldwide Corporation (collectively "Defendants") to dismiss the Complaint pursuant to Rules 23.1(b) and 12(b)(6) of the Federal Rules of Civil Procedure. Plaintiff Dennis Palkon ("Plaintiff") opposes the motion. The Court has considered the parties' submissions. For the reasons that follow, the Court grants the motion to dismiss, and the case will be closed.

I. BACKGROUND

This case involves a shareholder who seeks to compel a corporate board of directors to bring a lawsuit on the company's behalf. The shareholder's proposed suit pertains to breaches of the company's online networks, during which hackers accessed the personal and financial information of a large number of customers. The Court has jurisdiction over this action pursuant to 28 U.S.C. § 1332(a)(2), as the parties are citizens of different states and the amount in controversy exceeds $75, 000. The Court draws the following facts from the complaint, and assumes them to be true for purposes of this motion only.

A. Facts

Wyndham Worldwide Corporation ("WWC") is a large hospitality company that operates hotels and resorts globally. The company is incorporated in Delaware and headquartered in Parsippany, New Jersey. As part of the hospitality business, WWC's subsidiaries often collect customers' personal and financial data. WWC hotels let customers make room reservations online, which requires the customers to enter their personal credit card information.

On three occasions between April 2008 and January 2010, that information was stolen. Hackers breached WWC's main network and those of its hotels. They performed a "brute force attack, " which means they guessed user IDs and passwords to enter an administrator's account, and then used "memory-scraping malware" to collect sensitive data. Through these methods, the hackers obtained the personal information of over six-hundred thousand customers.

In April 2010, the Federal Trade Commission ("FTC") began to investigate the cyberattacks against WWC, and in June 2012, it commenced a legal action against the company for its security practices. WWC retained the law firm of Kirkland & Ellis, LLP ("Kirkland") to represent it in the FTC action.

In November 2012, a WWC shareholder sent a letter to WWC's Board of Directors ("the Board") demanding that it bring a lawsuit based on the online breaches. The Board instructed its Audit Committee to evaluate the demand. That committee then consulted with Kirkland, which found that the "shareholder demand letter [was] not well grounded." On March 5, 2013, the Audit Committee recommended that WWC not bring the lawsuit, and on March 11, the full Board voted to adopt that recommendation.

Approximately three months later, on June 11, 2013, Plaintiff Dennis Palkon ("Plaintiff") sent a letter to the Board similarly demanding that it "investigate, address, and promptly remedy the harm inflicted" on the company by the breaches. Plaintiff is a Pennsylvania resident who owned shares of WWC when it was hacked. WWC's General Counsel, Scott McLester ("McLester"), wrote to Plaintiff on June 28 that he had submitted the demand to the Board.

The Board met on August 8 to discuss Plaintiff's demand as well as developments in the FTC action. The Board voted unanimously not to pursue Plaintiff's proposed litigation. On August 20, McLester wrote to Plaintiff's counsel to report that the Board had found it "not in the best interests of [WWC] to pursue the claims" in Plaintiff's demand. The letter further provided that the Board was declining Plaintiff's demand for the same reasons it had refused the earlier, November 2012 demand, which was "virtually identical." Plaintiff is represented by the same counsel who pursued that earlier demand.

Although it decided not to bring a lawsuit based on the breaches, the Board discussed the cyber-attacks, WWC's security policies, and proposed security enhancements at fourteen meetings between October 2008 and August 2012. The Audit Committee reviewed the same matters in at least sixteen meetings during that period. WWC hired technology firms to investigate each breach and to issue recommendations on enhancing the company's security. Following the second and third breaches, WWC began to implement those recommendations.

B. Procedural History and Defendants' Motion to Dismiss

On February 25, 2014, Plaintiff filed a derivative lawsuit against WWC and numerous of its corporate officials. At the heart of Plaintiff's Complaint is an assertion that Defendants failed to implement adequate data-security mechanisms, such as firewalls and elaborate passwords, and that this failure allowed hackers to steal customers' data. He further claims that Defendants failed to timely disclose the data breaches after they occurred. Plaintiff claims that these actions damaged WWC's reputation and cost it significant ...

Our website includes the first part of the main text of the court's opinion.
To read the entire case, you must purchase the decision for download. With purchase,
you also receive any available docket numbers, case citations or footnotes, dissents
and concurrences that accompany the decision.
Docket numbers and/or citations allow you to research a case further or to use a case in a
legal proceeding. Footnotes (if any) include details of the court's decision. If the document contains a simple affirmation or denial without discussion,
there may not be additional text.

Buy This Entire Record For
$7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.